Polygon Zero’s mission is simple: to use zero-knowledge proofs to scale Ethereum to a billion users, without compromising decentralization or security. Achieving this requires fast and efficient proof systems. Today, we’re excited to share Plonky2, a major milestone for zero-knowledge cryptography.
Plonky2 is a recursive SNARK that is 100x faster than existing alternatives and natively compatible with Ethereum. It combines PLONK and FRI for the best of STARKs, with fast proofs and no trusted setup, and the best of SNARKs, with support for recursion and low verification cost on Ethereum.
Plonky2 represents the latest step in Polygon’s ongoing commitment to building the future of Ethereum, and we’re proud to share our work with the Ethereum community.
If zero-knowledge proofs have a superpower, it’s recursion. SNARKs can verify arbitrary computations, and, since verifying a SNARK is a computation, SNARKs can verify other SNARKs.
To see why that’s useful, suppose that we want to prove that a batch of 1,000 transactions are valid. Generating a single proof to verify 1,000 transactions at once would be expensive and time-consuming.
Instead, we can take 1,000 machines and generate 1,000 proofs in parallel, one for each transaction. Next, we can take these transaction proofs and recursively aggregate them by generating a layer of recursive proofs, with each one verifying two transaction proofs. We repeat this process until we’re left with a single proof that verifies 1,000 transactions.
The recursive approach is faster, less resource-intensive, and can be more decentralized.
Recursive proofs are critical for blockchain scalability. When we started Mir (now Polygon Zero) in 2019, it took two minutes on a fast computer to generate a single recursive proof. 2020 brought recursive proofs to Ethereum with 60 second proving times, and the invention of Halo delivered faster recursive proofs, but without Ethereum compatibility.
In 2021, we had an audacious goal: sub-1 second recursive proofs on Ethereum. We realized that FRI, the polynomial commitment scheme used in STARKS, could offer a significant performance improvement for recursive SNARKs. At the time, this wasn’t obvious. Fractal, the only existing implementation of recursive FRI, took about 10 minutes to generate a proof.
However, FRI has some exciting properties. It allows us to use 64-bit fields, and our team discovered the Goldilocks Field, whose modulus enables extremely efficient field arithmetic on modern CPUs. When combined with PLONK, FRI allows us to write custom gates with many more wires, so we can write circuits that are optimized for efficient recursion.
This combination of mathematical insight, deep expertise in zero-knowledge cryptography, and amazing low-level optimizations allowed us to make a significant breakthrough. A recursive proof on Plonky2 takes just 170 milliseconds on a Macbook Pro, a 100x improvement over existing alternatives.
Plonky2 also allows us to speed up proving times for proofs that don’t involve recursion. With FRI, you can either have fast proofs that are big (so they’re more expensive to verify on Ethereum), or you can have slow proofs that are small. Constructions that use FRI, like the STARKs that Starkware uses in their ZK-rollups, have to choose; they can’t have maximally fast proving times and proof sizes that are small enough to reasonably verify on Ethereum.
Plonky2 eliminates this tradeoff. In cases where proving time matters, we can optimize for maximally fast proofs. When these proofs are recursively aggregated, we’re left with a single proof that can be verified in a small circuit. At this point, we can optimize for proof size. We can shrink our proof sizes down to 45kb with only 20s of proving time (not a big deal since we only generate when we submit to Ethereum), dramatically reducing costs relative to Starkware.
Excitingly, Plonky2 is natively compatible with Ethereum. Plonky2 requires only keccak-256 to verify a proof. We’ve estimated that the gas cost to verify a plonky2 size-optimized proof on Ethereum will be approximately 1 million gas.
However, this cost is dominated by the CALLDATA costs to publish the proof on Ethereum. If CALLDATA is repriced in EIP-4488, the verification cost of a plonky2 proof will drop to between 170-200k gas, which could make it not only the fastest proving system, but also the cheapest to verify on Ethereum.
Last year, Polygon laid out its commitment to supporting ZK scaling. This represented an important transition, as Polygon moved from providing an essential solution for the present to building the future of Ethereum scaling. Plonky2 is an important step on this journey, and a major breakthrough for the entire space.
ZK L2s have benefited from a lot of hype, but current solutions rely on cryptographic primitives that are inefficient and limit scalability. Ultimately, L2’s will compete on throughput and cost, and Plonky2 gives the Polygon ecosystem the opportunity to build the most performant and scalable L2s.
What’s the future of DeFi? How can blockchain projects shake the reputation for being bad for the environment? What in the world are zero knowledge proofs? How can Web3 attract and accommodate the next billion users? When Flippening? You want to know the answers and so do we. That’s why Polygon is launching Polygon Pod […]
We’re in the early innings when it comes to enterprise needs for blockchains. Whether it’s supply chain management or marketplaces, the potential for secure business transactions on a public ledger has enormous implications. That’s why we’re pleased to announce Polygon Nightfall, a blockchain solution that leverages cutting edge Optimistic-Zero Knowledge technology to give businesses an […]
Today marks the start of a new, sustainable era for the Polygon ecosystem -- the core team has committed to eliminating all of the network’s carbon debt going back to inception and making the chain climate positive into the future. Polygon’s Green Manifesto announced today is part of a broader vision for sustainable development that […]
At Polygon, we believe that putting people firmly in control of their digital identities is at the core of Web3’s promise to empower users over networks. We have been working behind the scenes to fulfill this promise and today are proud to introduce Polygon ID, the self-sovereign, decentralized and private identity for the next iteration […]
This is Dalip, head of Developer Relations at Polygon. These past few weeks have been tough on everyone in Web3. But when the going gets tough, the tough get building. That’s why today we are announcing #WAGMIonPolygon, a new series for developers available on our YouTube channel. The program will focus on educational content, expert […]
Hola readers! Roland-Garros, an eTennis competition series by BNP Paribas, will launch its first NFT collection on Polygon, Chainsmokers shared their album royalties via NFT drops on our network, and the Polygon PoS bridge maintains its position in the Top 5 most used dApps on Ethereum. Let’s dive in. Key takeaways: There was an increase […]
MSP Recovery, a $32.6 billion publicly-traded U.S. company leading the healthcare reimbursement recovery industry, has partnered with Tokenology to launch a healthcare claims tokenization platform that will help eliminate fraud and benefit patients, care providers and insurers alike. LifeChain will run on Polygon, leveraging the carbon-neutral network’s low transaction fees, high throughput and a suite […]